How a cyber-gang with a posh name stole millions from private equity firms
A cybercrime gang with a moniker reminiscent of a Bond villain has pulled off a sophisticated cyber heist, taking NZ$2.7 million from three different British private equity firm, according to new data from Check Point Research.
The gang, dubbed ‘The Florentine Banker’ by researchers, succeeded in its campaign by manipulating email correspondences, registering lookalike domains, and cashing out in phases.
Four separate bank transactions attempted to transfer $2.3 million to unrecognised bank accounts.
Emergency intervention by Check Point enabled the recovery of only $1.2 million, leaving the rest as permanently lost funds.
Researchers concluded that there are potentially more targets in the Florentine Banker’s sights, after recovering several purchased domains unrelated to the other three targets.
The Florentine Banker’s strategy
After selecting a target, the Florentine Banker initiates its attack by setting up a targeted phishing campaign against key people inside the victim’s company, CFOs or other executives who oversee funds.
The first phishing emails targeted only two personnel, of which one provided their credentials.
The phishing attacks then continue, persisting for weeks in alternating methods, occasionally adding new individuals to the list of targets until the attackers gain a panoramic view of the entire financial picture of the company.
After gleaning high-level credentials from the victims, the Banker’s plan is then separated into five distinct categories:
Once the attackers gain control over the victim’s email account, they start reading their emails.
The Florentine Banker can spend days, weeks or even months doing reconnaissance before actively intervening in the communication, patiently mapping the business scheme and procedures.
Control and isolation
The attackers start to isolate the victim from third parties and internal colleagues by creating malicious mailbox rules.
These email rules divert any emails with filtered content or subjects into a folder monitored by the threat group, essentially creating a ‘man-in-the-middle’ attack.
The attackers register lookalike domains - domains that look visually similar to the legitimate domains of the entities involved in the email correspondences they want to intercept.
The attacker then sends emails from the lookalike domains. They either create a new conversation or continue an existing one - thus deceiving the target into presuming the source of the email is legitimate.
The attackers begin injecting fraudulent bank account information by both intercepting legitimate wire transfers and generating new wire transfer requests.
The Florentine Banker manipulates the conversation until the third party approves the new banking details and confirms the transaction. If the bank rejects the transaction due to a mismatch in the account currency, beneficiary name or any other reason, the attackers are there to fix the rejects until the money is in their own hands.
“These are times in which wire transfers are very common – from day-to-day actions to government stimulus packages for both citizens and businesses,” says Check Point manager of threat intelligence Lotem Finkelsteen.
“I urge everyone to pay extra attention to what goes in and out of their inboxes, for you may be corresponding with the Florentine Banker.”